Bitwarden Vault Fake Phishing Site!

I think so. I think it was like a functioning vault. I really don’t know what that is about. Bitwarden support said it wasn’t their site. I don’t self-host, so I have no clue what that bitswarden site is!

1 Like

Thanks for reporting this! The CS team began the process after the ticket was received and we’re continuing the investigation.

3 Likes

You’re welcome tgreer. It was a very stressful time for me. I spent around 7 hours changing all my passwords and 2FA keys, and cancelling my bank cards. I learned NOT to store any 2FA codes or recovery keys within Bitwarden - keep them strictly offline.

You really didn’t need to change all the passwords. Changing the master password is enough as your vault is actually only stored in the bitwarden server (which I really didn’t think about at first). There is no way for your database file to appear in someone else’s server.

Oops. Did I need to cancel all my bank cards? I now have no way of paying for anything or getting cash, except for the bit of cash I have in my wallet.

But surely if they had the master password they could get into the online vault and extract passwords and other sensitive data?

Not possible if you have 2FA enabled. (yubikey is almost impossible to hack through)

2 Likes

I find this terrifying!

@Merlin7, you did good (but I probably would have left ONE cc open, but with a security alert to the bank!). Also, the MAJOR lesson learned here is… USE MULTI-FACTOR AUTHENTICATION on any account you care about! This is especially true of any financial accounts, and DOUBLE TRUE for your VAULT! Set up 2FA, and DON’T store your important 2FA keys in bitwarden. Doing so, IMHO, completely circumvents the concept of “Multi-Factor!” Use your favorite Authenticator app as a true additional factor in AuthN!

@vachan, with all due respect (and anyone, please, correct me if I’m wrong), I believe @Merlin7 did not overreact. The instant the master password was exposed, BitSwarden could have pulled the entire vault within seconds.

I’m really curious what Bitwarden does about this obvious scam that is currently only being called out by FortiGuard.com! Check out all the green at https://www.urlvoid.com/scan/bitswarden.com/

2 Likes

Calling all cars!

What extension is the best at protecting from this!? I’m shocked that none of my safeguards work on this shady site!

I currently use duckduckgo and Norton, but have used several others in the past, including WOT (apparently selling user info).

What arsenal should someone use (in addition to 2FA)?

1 Like

@tgreer, PLEASE, PLEASE, PLEASE, provide actionable information to the community (a sticky post urging 2FA implementation?) and advice about tools available that would have helped @Merlin7 (and others) avoid this sneaky exploit!

1 Like

But how can a self-hosted instance access the data stored on Bitwarden’s official server?

Users who registered or created their account on bitswarden (fake site) will have their data stored on that server only.
If they go to the official bitwarden server and sign in, their account will not be available there.

Meaning the data stored on the self-hosted server and the official server is completely separate.

Just think about it. Why would users self host then?

If they had gotten access to your master password, they would have gotten access to your vault.

But you instantly noticed you were on a phishing site and changed your master password. You also had 2FA enabled.

Since you took action instantly, your data is safe.

1 Like

Thanks for the correction, @vachan. I missed that @Merlin7 had 2FA enabled.

What a scary scenario…

Tough nut to crack, since anyone can host a vault. Any solution would have to account for the fact that someone could have theoretically set up bitSwarden for their own legitimate use. Unlikely, due to the URL similarity, but how to protect from this? (other than 2FA, of course)

1 Like
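As an added example (not code from this thread or from Bitwarden), here is the kind of lookalike-domain check an autofill extension or proxy could run before filling credentials, answering the "how to protect from this" question above for the bitswarden.com case and for nested tricks like bitwarden.com.evil.example; the allowlist, the edit-distance threshold and the two-label registrable-domain rule are assumptions.

```python
"""Flag hostnames that resemble a trusted domain but are not it."""
import unicodedata

TRUSTED = {"bitwarden.com"}  # assumed allowlist; extend for your own services


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(host: str) -> str:
    """Lowercase, drop port and trailing dot, decode punycode, NFKC-fold."""
    host = host.split(":")[0].rstrip(".").lower()
    try:
        host = host.encode("ascii").decode("idna")  # xn--... -> unicode form
    except UnicodeError:
        pass  # already unicode or not valid punycode; keep as-is
    return unicodedata.normalize("NFKC", host)


def registrable(host: str) -> str:
    """Keep the last two labels. Simplification: no public-suffix list,
    so multi-part suffixes like example.co.uk are not handled."""
    return ".".join(host.split(".")[-2:])


def classify(host: str, max_dist: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a hostname."""
    full = normalize(host)
    dom = registrable(full)
    if dom in TRUSTED:
        return "trusted"          # the real domain or one of its subdomains
    for t in TRUSTED:
        if t in full:              # trusted name embedded in another domain
            return "lookalike"
        if 0 < edit_distance(dom, t) <= max_dist:
            return "lookalike"    # one or two edits away, e.g. bitswarden.com
    return "unrelated"
```

In practice such a classifier would block autofill and show a warning for "lookalike" rather than trust a scanner verdict, which in this thread lagged the scam by days.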

Sadly I had stored several 2FA recovery codes within Bitwarden, including for Bitwarden itself. This is a big mistake. I also think that storing the 2FA keys within Bitwarden is very foolish, even though it is a feature that is available. It renders 2FA worthless in some cases.

The fake site had a log-in for the 2FA. I believe the fake site was using the live input credentials to log me into the official Bitwarden Vault and then forwarded me to the official site, because after I’d logged in on the fake site, I was in my Vault. The phishing site is so courteous as to log the user into the official vault! So the user might not notice that they had their log-in stolen. This is a very high level phishing scam.

Phishing is a difficult, moving target, unfortunately.

I believe that @Merlin7 did the right thing, as they would have compromised the master password and (since they used a likely compromised/patched web client) - they could decrypt any vault data intercepted before an encryption key rotation was done.

2 Likes

Highlights one of the problems with using password managers: you stand out as a potentially valuable target…

Could be a pretty high level scam or even state actors…

@tgreer what does Bitwarden do in cases like these? Try to block the rogue server to access BW’s server? Report it to authorities so it can be investigated?

1 Like

We’ll take a variety of steps as we’re able to from a technological/legal standpoint. Usually phishing sites are in some sort of trademark/fraud violation anyways, so their registrars are happy to help us out.

1 Like

@tgreer, FYI, I don’t know if this is your handiwork or not, but Norton has changed policy within the last hour! Glad to see it…

Report for bitswarden.com | Norton Safe Web

2 Likes

I’m feeling pretty concerned now. It seems to me that there was time, despite my quick actions, for the scammers to quickly go into my vault and download a copy of ALL my passwords and some sensitive personal information. Now, presumably, this goes to the Dark Web to be sold. :scream: